A Breach Too Far

Experts on cybersecurity warn that law firms need to fear the same kind of illegal intrusions into confidential information maintained on their computer systems that already are striking government entities and private corporations with increasing frequency.

There is a good reason why law firms are an excellent target for cyberattacks, said Bradford A. Bleier, a unit chief in the Cyber Division of the FBI, who was one of the speakers addressing the issue in November at the 19th Annual Review of the Field of National Security Law. The two-day conference in Washington, D.C., was co-sponsored by the ABA Standing Committee on Law and National Security in conjunction with the law schools at the University of Virginia and Duke University.

Other speakers at the conference said law firms face difficult ethics quandaries in conjunction with thefts of information from their computers.

A key question, said Stewart A. Baker, a partner at Steptoe & Johnson in Washington, D.C., is what to tell clients when there has been a breach of confidential information. Baker recounted one incident in which the FBI informed a law firm’s managing partner that it had identified confidential information from the firm in messages being sent to a foreign country. Asked what he would tell his clients, the managing partner reportedly said, “I’m not even sure I’m going to tell my partners.”

Under the ABA Model Rules of Professional Conduct, that would have been the wrong answer, said Thomas D. Morgan, a professor who teaches ethics at the George Washington University Law School in Washington, D.C. (The Model Rules have been adopted in full or in part by every state except California.)

“The cover-up can be worse than the original offense,” said Morgan, who noted that Model Rule 1.4 (Communications) “means you have an explicit requirement to tell the client because it’s the client who ultimately will have to decide what to do about it.”

But despite that mandate of Rule 1.4, there are circumstances that raise questions about when and to what extent it must be followed to the letter, said Stewart, a member of the advisory committee to the Law and National Security Committee. One question, for instance, is whether a law firm has an obligation to inform a client when it can’t be determined whether the client’s information was compromised in a cybersecurity breach.

NET WORTH

Morgan said other ethics issues are triggered by Model Rule 1.6 (Confidentiality of Information), which prohibits a lawyer from revealing information relating to a client without the informed consent of the client. The problem, he said, is that the rule does not directly cover situations in which client information was stolen from the firm in a cyberattack.

In such cases, Comment 16 to Rule 1.6 may apply, Morgan said. The comment says a lawyer should “act competently” to safeguard client information “against inadvertent or unauthorized disclosure” by the lawyer or by others who are under the lawyer’s supervision.

But the question of what “act competently” means in the context of cybersecurity hasn’t yet been answered, and efforts to do so may affect the relationship between lawyers and clients, Morgan suggested. He said the ABA and state ethics authorities may need to rethink opinions stating that firms are not required to encrypt e-mails. And Stewart said more clients may want to keep information within their own systems and share it with their lawyers as necessary.

For now, Morgan said, the risk of professional discipline or malpractice claims for not informing clients of cybersecurity breaches is higher than lawyers would face for the thefts themselves because of the difficulties in preventing them.

The FBI’s Bleier attested to the vulnerability of information stored in computers. “If you have really critical information,” he said, “at some level you’ve got to evaluate whether it should be on the Net.”